Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before
3.2.15, and 3.3.x before 3.3.4 allows remote servers to cause a denial of service (memory corruption) or possibly
execute arbitrary code via a long session id in a ServerHello message.
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1751,7 +1751,7 @@
DECR_LEN(len, 1);
session_id_len = data[pos++];
- if (len < session_id_len) {
+ if (len < session_id_len || session_id_len > TLS_MAX_SESSION_ID_SIZE) {
gnutls_assert();
return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
}
ref:http://radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/
https://gitorious.org/gnutls/gnutls/commit/688ea6428a432c39203d00acd1af0e7684e5ddfd